分享程序员开发的那些事...
更新时间:2021-12-12 22:53:48
使用字符串,而不是字符文字。
Use strings, not char literals.
name = name.Replace("'", "''");
然而,它听起来就像你串联SQL字符串在一起。这是一个巨大的不要,因为SQL注入的风险的现代应用设计规则。请使用SQL参数来代替。每一个现代DBMS平台支持他们,包括SQL Server和MySQL ADO.NET,甚至Access支持他们。
However it sounds like you're concatenating SQL strings together. This is a huge "DO NOT" rule in modern application design because of the risk of SQL injection. Please use SQL parameters instead. Every modern DBMS platform supports them, including ADO.NET with SQL Server and MySQL, even Access supports them.